Posted
by
CmdrTaco
on Tuesday February 22, 2011 @11:26AM
from the your-password-is-31337 dept.

Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."

OK, I'll bite. How do you access a bank site without a browser? Are you going to make everyone buy a modem again? Use a cell phone? Not trolling, just want another method that non-techie types can use. People can always call up the bank I suppose.
I understand fraudulent transactions are more of a problem in Europe/Germany because wire transfers between banks are free, unlike in the USA.

WEll I take that back. Install the Wine packages and then run the winetricks.sh to install Internet explorer and you can get this working under linux.

Sorry, there is no non techie way to get this trojan working under linux. I guess you will have to suffer with a more secure OS for your banking, instead of complete windows compatibility with the insecurity.

Analogy: cure SARS by not living in Asia. Yeah thats right cure it not by actually eliminating the problem but instead avoiding it and pretending that this makes you completely immune. One day enough people will run linux to make it profitable enough to use the many attack vectors available and you can choke while taking a bite of the humble pie.

When ever I hear Linux as a solution to Trojans/Viruses/etc, I can't help but remember when I was a script kiddy, and how we'd run a few scripts, on a few machines, that would scan an teh internet, and root a fuckload of boxes. Seriously, it was so easy, and the scripts we had would completely root the machine, then fix the hole.

Usually it was a problem with things being misconfigured or un-updated. These weren't just trojans we'd install, they were hardcore rootkits, that you weren't getting rid of anytime

It really is simple: Windows gets hit because that is where the easy marks are and if you switch everyone over tomorrow then by default you bring the easy marks to Linux and the famous Linux security gets turned to crapola 3 minutes later.

As a PC repairman I see the nasties that hit Windows every day, you know what the biggest two are BY FAR? The "ZOMG You got teh Viruz! Run "this_iz_not_a_viruz.exe" to kill it quick! ZOMG!" and the ever popular "Enjoy free (insert new movies, music, porn) all you want just by installing out "this_is_not_a_viruz_codec.exe" today!" Now how in any way shape or form will Linux protect the user from social engineering attacks or from running outdated third party software like Flash or Reader? Gonna hold a gun to their head and force them to update? Hell Windows has had automatic updates for over a decade yet I still see XP SP2 machines cross my desk.

The simple facts are these: as long as the user has the right to install software he also has the right to royally screw the pooch when it comes to malware. Linux by default because it is more "fiddly" and because one has to do step by step troubleshooting with it like go to forum, find relevant topic, launch bash, apply fix, has users that know more about their OS internals and are more security minded. It ain't rocket science folks. Windows got rid of the last legitimate complaint, forcing users to run as admins, more than 3 years ago. But as long as the majority of home and business users have no clue how anything works you are gonna see bugs on whatever OS is dominant because that is where the clueless are. Just look at how we are seeing more malware for Android now that it is becoming popular. With the users come the malware, simple as that. And switching to Linux won't magically give the user a level up in IT knowledge.

Really? It's called an application. You write one specifically for the bank. Also the cost of the electronic transfer doesn't have anything to do with the problem.

That doesn't work, either. The only way to commercially viable would be for a third party to sell such a package (and I used to be in that business). However, if such a thing becomes prevalent enough, it will get hacked as well. Plus, it has to go over the internet anyway unless you expect bank customers to use speical hardware.

It's amazing how simple things are when looked at by uninformed people.

As long as they use some kind of virtual machine / presentation system that is supported by multiple platforms, then there would be no problem.

It'd need some way of presenting text and graphics (using some standardised system to represent that data), a way to control the rendering of that media and finally, a way of describing how interactive client-side behaviour would operate. If everyone agrees on how these three features would be described and represented, as well as how the network protocols would oper

Try reading the definitions for the classifications. You CAN'T turn a "from local" into a "from remote". Vulnerability is also measured with respect to the average, so it doesn't really matter what you use or don't use personally.

P.S.=> Which, in the end, speaks MORE FOR ME, than against me... because, when ALL YOU HAVE IS EFFETE MOD DOWNS, that have NO TECHNICAL JUSTIFICATION BEHIND THEM? You're shown as "helpless henrys"... and you ALL know it! apk

I know, I know, don't feed the trolls.

I'll play along for a moment and keep pretending like the number of vulnerabilities are a valid measure of a system's security. Let's take a closer look at your secunia links: the number for the Linux kernel includes all vulnerabilities from 2003-2011. Windows 7 was released in October 2009. The most severe unpatched vulnerability in the Linux kernel is rated "Less critical," or 2/5. The most severe unpatched Windows vulnerability is rated "Highly critical," or 4/5.

First off, you'd probably do better in the credibility department if you stopped posting anonymous.

Second, whether you're right or not about number of bugs in Linux vs Windows doesn't matter one whit. Linux is more secure than Windows because security through obscurity is a real concept. Just as no one is going to rob a house that only has a coffee table and a gallon of spoiled milk in it, no one is going to spend a lot of time and effort designing a Linux theft-malware, because they can steal a lot more mo

I wasn't trying to draw a distinction in merit between registered users and AC's. But when the AC starts yelling, typing in bold, calling people names "lusers, etc," and starts trying to get into a pissing match about who's accomplished more than who, they're living up to the "coward" part of the AC handle.

If you're gonna come on here and fling insults, and jockey about acting as though you're better than everyone else, at least have the guts to register a name so that you have to face the consequences of y

Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods.

No one thought it important enough to list the banks being targeted? Or is this "professional courtesy" on the part of whatever law enforcement agency is conducting the investigation to leave all of the banks' customers in the dark, lest the banks get a bad rep?

Even if they did provide a list, all it would do is offer false complacency to the people whose banks weren't on it. As TFA notes, the trojan is continually being updated, and it's reasonable to assume that they're adding capabilities to attack more banks on a regular basis.

The bank I use (in Mexico) forces you to get a different number from the security token every time you login or make a transaction (they are generated once a minute). If you try to make a transaction using the same token number that was used to login to the bank, the system forces you to get a different number from the token. In theory, this would stop this kind of attack. Why are no other banks doing the same?

Probably because a lot of banks have online systems that seem to be written by Microsoft junkies or people that barely have a Freshman's level of knowledge about programming.

I was dealing with a credit card company web site yesterday (that will remain nameless) that was popping up messages in Firefox and IE8 that it required IE4 or IE5 just yesterday. I also have an account at a regional bank that has similar problems and seems to be stuck with a system that is so strait jacketed by their code that they wo

I've found a bank that works pretty well on Chrome on Linux and have had no problems so far. As to the straight-jacketed banks, I agree with your assessment. Perhaps they can find other tools that give their customers a bit more peace of mind.

Do tell-- how would you avoid this issue? The problem isnt crappy coding on the bank sites, but that these viruses have control over the desktop and are giving real-time control to a remote operator. How is the bank to know that someone else is controlling the workstation?

There's already at least one virus that successfully worked around this with a man in the middle attack: Instead of trying to make a payment directly, it modified a payment you were making. Of course the bank prompted for an authorisation code, but as the user was making a payment they were expecting this, and promptly entered the details, sending some random amount to an account controlled by the virus writers.

The really clever bit was that it also re-wrote the screen display, to make it appear as though

This is why although my bank has a security token thing (it's actually a small Chip & PIN terminal requiring you have the card and know the PIN) it only ever requires this be used when you set up a new payee and the first time you send money to that payee. So outside of a bank customer setting up a new payee anyway and the returned codes being intercepted to set up a different payee quickly enough the best a trojan can do is see your account statements, transfer money between your own accounts and pay money to people you already expect to pay. Yes, this means they can fuck with you, but they can't usefully (to them) steal your money.

Oh, and now I think about it they couldn't usefully do the MITM either, as the input is partially based on the receiving account number or somesuch. So unless they bad guys have an account that matches sufficiently closely the authorisation codes are going to be useless to them.

They have big fat warnings up about how the thing will never be asked for simply for logging in (not that I expect that would stop some stupid people falling to a MITM attack).

Even better are the following devices: Set up payment on bank website. It asks for confirmation showing you the recipient bank account and the amount. On top of that, it shows a bar code with the same information. You then hold your TAN (transaction number) generator against the screen and it scans the bar code. Then, the TAN generator shows the recipient bank account and amount on a display on the generator. You then enter your PIN in the generator and it generates a TAN that is derived from recipient

What is ironic is that IBM Zurich was predicting this exact type of attack.

This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.

Why is the ZTIC so unique that IBM made it? Couple reasons:

1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web bro

For those of us without cell phones, would there be any serious issues with being able to use one OTP generator for multiple sites? A trust authority issues them, and can verify that you are you to the given organization. A keylogger could gank the code and use it for something else, sure, but if I'm not mistake nthat could happen anyway with per-site.

It sounds like this isnt hijacking that hardware dongle's "token", but the browser's login "token". That is, the user clicks "log off", but the trojan intercepts that request and presents a phony "logged off" page, while keeping the session open (or alternatively keeps the session open after the browser is closed). It then relays to the C&C server "hey, i have an active bank session here!", where someone operating said server can relay commands to the trojan. At this point, said operator basically ha

As the parent was saying, the token is also used to confirm the transactions after they've been entered - the bank, naturally, doesn't trust the session until it times out or is logged off.

This same process is also used by my bank on the other side of the world - this closes many potential vulnerabilities - this one with the expiring session; phishing (since even if you get the user to login to a fake site, you can't transfer the funds), cross-site scripting usages to submit data to bank sites, etc. Heck, i

Unless it's a signing token (where you enter the payment details to generate the secureity code) this won't necessarily help, since this sort of man-in-the-browser attack is able to modify the payment details that you submit to the Bank's server... and at the same time modify the confirm/receipt screen served back to you, so that from your perspective it looks like you performed your intended transaciton (and entered your token security code), but in fact, the payment has gone off to the attackers desired a

Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.

They hijack the session and keep it alive on the server.
An internet banking application should implement absolute session timeout which should expire regardless of keepalive requests from a users after 24 hours, for example.

I was about to reply "use a (non-windows) live cd and a non-IE browser and you are safe". If the session is kept alive on the server, that's an entirely different problem. But wouldn't a session be usually "identified" by the presence of a client-side cookie (or another client-side authentication token)? I mean, if the client shuts down isn't the session automatically terminated?

Self-slap: I hadn't RTFA. "The code is capable of logging GET and POST requests"... "By tapping the session ID token"...
OK. I'll have to turn back to "use an OS that cannot run EXEs and hope it takes very long to deploy a.sh version".

Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.

1. This only holds true if you either A) Use porn mode on your browser
B) Set up your regular browser to automatically delete everything

2. Even if you do #1, it will not help against this particular Trojan, since it hijacks the session.

Even TFS should have given you enough information to conclude that closing your browser and clearing your cache isn't going to do shit.

The article mentions that since the trojan hijacks the session, and can play man-in-the-middle, it will block your logout request to the bank. This makes the end user feel they did log out, but the trojan has kept the session alive. This makes me wonder if that is why my bank's online banking has an annoying pop-up each time I log out- so that I know for a fact that I am logged out. But the feature still pisses me off, as I cannot immediately browse to another page without clicking "OK".

So what you need to do is unplug your computer from the internet for 30 minutes (or however long it takes for the session to expire) after each online banking session. And hope that the banking site validates session ids against IP addresses....

If you have a virus on your computer, it doesnt matter what OS or browser you use. This thing could be a usermode rootkit running a usermode driver, intercepting all network calls made by said user and rerouting them. Once you have the virus its too late.

Its only market share which has saved Linux and Mac from getting their comeuppance; a good number of the flaws out there would have no issue exploiting the PDF or Flash or Java plugins through Firefox running on Mac or Linux. Even up-to-date plugins have

That is not correct. Claiming "it keeps on running" implies that there is a process or thread open using iexplore.exe, which is not true. Ieframe.dll is used by explorer, but if you close explorer that dll handle also closes.

It is tied into the OS in that it is used for rendering quite a lot, from help files to web pages to Steam's interface, but I dont see any reason you cant close all IE handles.

The article says that OddJob targets both Internet Explorer and Firefox, so apparently just switching to Firefox would not be enough.

As a Linux user, I noticed that the article does not mention anything one way or the other about other operating systems such as Linux or Mac OS. The article also does not mention other less common browsers such as Opera. If there were enough Linux users to be worth targeting, I wonder if they could come up with a Linux version of OddJob, or not?

"The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing."

Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?

This product is to be avoided at all costs...if anyone is still having problems, I have managed to switch it off and uninstall it, altho' the Rapport/Trusteer team clearly did not want to help, and many believe it's not intended to be uninstalled.

These articles almost never include any information about the OS platform, for some reason. It's very strange; that's fundamental information. But googling around shows that-- as always, when the platform is omitted-- the platform is Windows.

Doesn't help. Web servers do not (and cannot) know when your browser has been closed.

Besides, if the hijacker has done their job properly and you've only ever been communicating with the server you think you're connected to via their proxy, you can't disconnect unless they let you do so.

Okay, so basically it sounds like the programmers did a poor job of implementing state.

Whenever I've done an application (which I don't anymore being a PHB) I always forced closed a session on either logout or browser disconnect. (You never know when that BSOD might hit for those using windows.)

Ah, well, I guess my 75-year-old father-in-law is right in that he refuses to do online banking and insists on going into the branch for every single transaction.:P

A http protocol that, instead of (connect, download, disconnect), allows for a sustained connection throughout the session and then a final disconnect when the session concludes. A persistent connection could mean that your credentials would be valid only for a single connection and logging out would sever that connection and invalidate the credentials. I am sure the idea has been tossed around and thrown out already, but I am curious.

Safest way to bank online is to use a Linux LiveCD.No need to learn Linux, nor even install Linux. Simply boot to a Linux live cd. Nothing is written or saved to anywhere on the computer, so nothing for anyone to copy. It's not booting into windows, so no trojan/virus is there to affect it.

Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

I go the netbook route - they're cheap and disposable. I have one running Linux, and the ONLY thing it does is banking. When I've finished paying my bills, it gets shut down and put back on the shelf.

Seriously, it's one of the great uses of a netbook - dispoable appliance computing.

Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.

Since it's on writable media, this is only true until someone writes a more sophisticated piece of malware. The same applies to a Live CD on a CD-RW to an extent. A Live CD on a finalized CD-R really is immutable.

Yeah yeah yeah and the FBI can point a laser at your window and listen in to your conversations. But practically speaking, booting off a CD image in it's own partition into an operating system that is known to be more resistant to malware is pretty secure. It's is more secure than how people handle the rest of their lives (their front door locks, their car, handling their credit card receipts, etc.).

As long as you trust the source of the LiveCD and it is on non-rewritable media, this is the best solution. The only vector left for the malware writers would be to store their malware in Flash memory in the GPU, NIC, or system chip sets in order to survive a reboot. If nothing is persistent on that machine then the malware has no place to hide. Each time the LiveCD comes up clean despite the state of the possibly infected 'normal' boot disk. Just don't surf the web prior to d

"A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens"

What ever you do don't mention Microsoft Windows..:)

"OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox"

How does the OddJob 'financial malware' get on the computer in the first place. What D

Some banks in Sweden signs the online-transaction with a key generated by a standalone card reader where you enter a security token + date + amount + pin. The key generated is unique for your specific transaction and cannot be hijacked.

The downside is that there's a bunch of numbers to input on the card reader but I would say it's almost foolproof security-wise.

These days, attacks are becoming increasingly sophisticated and the level of security required by banks has not really increased as the level of sophistication and tech savvy of their customers has not increased.

If the banks were to team up with an established and/or hungry VM software vendor such as VMWare or Oracle (current VirtualBox owner), perhaps a "program" which is actually a carefully created VM host application which contains a securely locked down VM running within, could better serve the needs o

Doesn't work – you can modify the VM's memory contents and read/mutate its I/O operations from the host machine. It would in many respects make the attacker's job easier as they would only have one OS/browser version to go at.

A live CD doesn't store useful information and requires rebooting... yeah, still, probably a better idea... or even a flash drive with live OS on it. At least in that case, reports can be generated and placed on an area of the drive readable by the user so they can import/export their quickbooks or what-not.

Wow... seriously? You don't think I know what I am talking about? Been on here a long time and probably in the industry longer than you have been alive.

Yes, a VM... a VM appliance, more precisely. There is already VMWare player and there is already free VM host software out there. The trick would be to package up the VM files and the player/host into a single package that can be run conveniently and simply. I could be a pointy-haired boss and still know that this is a workable solution. Hell, there wa

Excellent, so next time I perform monetary operations, the computer's going to start asking me trivia questions? I like the idea of requiring anyone who handles money to actually have a brain... oh wait, now we have Watson. Wait til the hackers link trivia captcha with Watson. We're all screwed, unless... we filter all answers that begin with "what/who/where is".

reads like a FUD based infomercial.
No mention of the banks targeted, how to detect an infection, vulnerable OSs... just the alarm sounding of a problem they appear to be in unique position to solve.
how conveeeenient.

"The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc."